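#!/bin/bash
# Desineuron ingress host bootstrap (EC2 user-data, arm64).
#
# Installs pinned Caddy and rathole releases, hardens sshd, and registers
# systemd units for both. Runs as root under cloud-init. Every command is
# traced (-x) to the bootstrap log, syslog (via logger) and the serial
# console, so do not echo secrets anywhere in this script.
set -euxo pipefail
exec > >(tee /var/log/desineuron-ingress-bootstrap.log | logger -t user-data -s 2>/dev/console) 2>&1

# Optional integrity pins for the downloaded release archives. When set
# (e.g. exported by the launch template) the archive is checked before it is
# extracted or installed; when empty the check is skipped, as before.
# PLACEHOLDER: fill in the sha256 published alongside each pinned release.
CADDY_SHA256="${CADDY_SHA256:-}"
RATHOLE_SHA256="${RATHOLE_SHA256:-}"

#######################################
# Verify a file against an expected sha256 digest.
# Arguments: $1 - file to check
#            $2 - expected hex digest; empty means "no pin, skip"
# Returns:   0 on match or when no digest is given; non-zero otherwise
#            (which aborts the script under set -e)
#######################################
verify_sha256() {
  local file=$1 expected=$2
  [[ -n "$expected" ]] || return 0
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet -
}

dnf update -y
dnf install -y curl tar gzip unzip jq policycoreutils-python-utils

systemctl enable amazon-ssm-agent
systemctl restart amazon-ssm-agent

# Service account for Caddy. Checking for the user first keeps the script
# idempotent on re-runs without hiding unrelated useradd failures.
if ! id caddy >/dev/null 2>&1; then
  useradd --system --home /var/lib/caddy --shell /sbin/nologin caddy
fi
install -d -o caddy -g caddy -m 0755 /etc/caddy /var/lib/caddy /var/log/caddy
install -d -m 0755 /etc/rathole /opt/rathole

# Key-only SSH. The merged config is validated before the restart so a bad
# drop-in aborts the bootstrap instead of leaving the host unreachable.
cat >/etc/ssh/sshd_config.d/10-desineuron-hardening.conf <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
EOF
sshd -t
systemctl restart sshd

# Pinned upstream releases (arm64 / aarch64). The Caddy asset name is
# derived from CADDY_VERSION so the two cannot drift apart.
CADDY_VERSION="v2.10.2"
CADDY_URL="https://github.com/caddyserver/caddy/releases/download/${CADDY_VERSION}/caddy_${CADDY_VERSION#v}_linux_arm64.tar.gz"
RATHOLE_VERSION="v0.4.3"
RATHOLE_URL="https://github.com/rapiz1/rathole/releases/download/${RATHOLE_VERSION}/rathole-aarch64-unknown-linux-musl.zip"

# Scratch directory is removed on every exit path, including a failed
# download, rather than only on the success path.
tmp_dir="$(mktemp -d)"
cleanup() {
  cd /
  rm -rf -- "${tmp_dir:?}"
}
trap cleanup EXIT
cd "$tmp_dir"

curl -fL "$CADDY_URL" -o caddy.tar.gz
verify_sha256 caddy.tar.gz "$CADDY_SHA256"
tar -xzf caddy.tar.gz
install -m 0755 caddy /usr/local/bin/caddy
# The unit below grants CAP_NET_BIND_SERVICE through AmbientCapabilities, so
# a failing setcap (e.g. no xattr support) is deliberately non-fatal.
setcap cap_net_bind_service=+ep /usr/local/bin/caddy || true

curl -fL "$RATHOLE_URL" -o rathole.zip
verify_sha256 rathole.zip "$RATHOLE_SHA256"
# Extract only the binary we install, instead of every archive member: this
# keeps arbitrary paths inside the zip from being written to disk.
python3 - <<'PY'
import sys
import zipfile

with zipfile.ZipFile("rathole.zip") as z:
    wanted = [n for n in z.namelist() if n in ("rathole", "./rathole")]
    if not wanted:
        sys.exit("rathole binary not found in archive")
    z.extract(wanted[0], ".")
PY
install -m 0755 rathole /usr/local/bin/rathole
cd /

cat >/etc/systemd/system/caddy.service <<'EOF'
[Unit]
Description=Caddy
After=network-online.target
Wants=network-online.target

[Service]
User=caddy
Group=caddy
ExecStart=/usr/local/bin/caddy run --environ --config /etc/caddy/Caddyfile
ExecReload=/usr/local/bin/caddy reload --config /etc/caddy/Caddyfile
TimeoutStopSec=5s
LimitNOFILE=1048576
PrivateTmp=true
ProtectSystem=full
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF

# NOTE(review): rathole runs as root with none of the sandboxing applied to
# caddy above. If server.toml only binds ports this could be a dedicated
# user plus AmbientCapabilities=CAP_NET_BIND_SERVICE — confirm against the
# deployed config before changing it.
cat >/etc/systemd/system/rathole-server.service <<'EOF'
[Unit]
Description=Desineuron Rathole Server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/rathole /etc/rathole/server.toml
Restart=always
RestartSec=5
User=root

[Install]
WantedBy=multi-user.target
EOF

cat >/etc/logrotate.d/caddy <<'EOF'
/var/log/caddy/*.log {
  daily
  rotate 14
  compress
  missingok
  notifempty
  copytruncate
}
EOF

touch /etc/caddy/Caddyfile
touch /etc/rathole/server.toml
# The rathole config is read only by the root-owned service; it typically
# carries the tunnel token, so keep it unreadable to other local users.
chmod 0600 /etc/rathole/server.toml

systemctl daemon-reload
systemctl enable caddy.service
systemctl enable rathole-server.service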